The undetectability in your point #4 is the part worth sitting with — and it isn't a Zcash-specific failure, it's the structural cost of any shielded pool.
A counterfeiting bug is a soundness break (forging a valid proof of a false statement), which is a different and scarier class than a privacy / zero-knowledge leak. On a transparent chain a soundness break surfaces instantly as a supply-audit mismatch — you sum the outputs and the math doesn't close. In a shielded pool you've traded that auditability away for privacy, so by construction you can't prove after the fact whether anyone minted. Hidden amounts cut both ways.
Worth being precise about scope: the specific flaw won't transfer across designs — Monero's RingCT/Bulletproofs is a completely different construction from Zcash's Halo2, so this exact bug is Orchard-only. But the class risk — "you can't audit a supply you deliberately hid" — is shared by every confidential-amount system, Monero included. It's the tax you pay for the privacy, not a Zcash mistake.
The real headline is your #3: an AI-assisted review caught a soundness bug that four years of scrutiny by the world's best cryptographers missed. That's the part that generalizes.
The undetectability in your point #4 is the part worth sitting with — and it isn't a Zcash-specific failure, it's the structural cost of any shielded pool.
A counterfeiting bug is a soundness break (forging a valid proof of a false statement), which is a different and scarier class than a privacy / zero-knowledge leak. On a transparent chain a soundness break surfaces instantly as a supply-audit mismatch — you sum the outputs and the math doesn't close. In a shielded pool you've traded that auditability away for privacy, so by construction you can't prove after the fact whether anyone minted. Hidden amounts cut both ways.
Worth being precise about scope: the specific flaw won't transfer across designs — Monero's RingCT/Bulletproofs is a completely different construction from Zcash's Halo2, so this exact bug is Orchard-only. But the class risk — "you can't audit a supply you deliberately hid" — is shared by every confidential-amount system, Monero included. It's the tax you pay for the privacy, not a Zcash mistake.
The real headline is your #3: an AI-assisted review caught a soundness bug that four years of scrutiny by the world's best cryptographers missed. That's the part that generalizes.